As part of our ongoing Drupal Commerce module walkthrough, I'm going to show you how to create custom Products. The Commerce Custom Products module allows the creation of custom line items on Products for customer input. Custom line items for Products are essential when the customer must define something about the Product that they're adding to the cart. A few examples of how you may use Commerce Customizable Products include:
In the modern world of web / application development, using package managers to pull in dependencies has become a de facto standard. In fact, if you are developing enterprise software and you aren’t leveraging package managers I would go as far as to say that you are doing it wrong (I’ll elaborate on this point later in the post).
Voting is now open for the 2017 At-Large Board positions for the Drupal Association! If you haven't yet, check out the candidate profiles, including their short videos found on the profile pages. Get to know your candidates, and then get ready to vote.
How does voting work? Voting is open to all individuals who have a Drupal.org account by the time nominations open and who have logged in at least once in the past year.
To vote, you will rank candidates in order of your preference (1st, 2nd, 3rd, etc.). The results will be calculated using an "instant runoff" method. For an accessible explanation of how instant runoff vote tabulation works, see videos linked in this discussion.
Elections will be held from 6 March, 2017 through 18 March, 2017. During this period, you can review and comment on the candidate profiles.
Have questions? Please contact me: Megan Sanicki
Here is where we bring awareness to Drupal modules running on less than 1% of reporting sites. Today we'll consider Realistic Dummy Content, a module which rewrites node titles and replaces Devel's auto-generated placeholder images and profile pictures with freely licensed stock photos or portraits.
HTTPS Everywhere: Deep Dive Into Making the Switch
In the previous articles, HTTPS Everywhere: Security is Not Just for Banks and HTTPS Everywhere: Quick Start With CloudFlare, I talked about why it’s important to serve even small websites using the secure HTTPS protocol, and provided a quick and easy how-to for sites where you don’t control the server. This article is going to provide a deep dive into SSL terminology and options. Even if you are offloading the work to a service like Cloudflare, it’s good to understand what’s going on behind the scenes. And if you have more control over the server you’ll need a basic understanding of what you need to accomplish and how to go about it.
At a high level, there are a few steps required to set up a website to be served securely over HTTPS:
- Decide what type of certificate to use.
- Install a signed certificate on the server.
- Configure the server to use SSL.
- Review your site for mixed content and other validation issues.
- Redirect all traffic to HTTPS.
- Monitor the certificate expiration date and renew it when it expires.
Your options are dependent on the type of certificate you want and your level of control over the website. If you self-host, you have unlimited choices, but you’ll have to do the work yourself. If you are using a shared host service, you’ll have to see what SSL options your host offers and how they recommend setting it up. Another option is to set up SSL on a proxy service like the Cloudflare CDN, which stands between your website and the rest of the web.
I’m going to go through these steps in detail.
Decide Which Certificate to Use
Every distinct domain needs a certificate, so if you are serving content at www.example.com and blog.example.com, both domains need to be certified. Certificates are provided by a Certificate Authority (CA). There are numerous CAs that will sell you a certificate, including DigiCert, VeriSign, GlobalSign, and Comodo. There are also CAs that provide free SSL certificates, like Let's Encrypt.
Validation Levels
There are several certificate validation levels available.
Domain Validation (DV)
A Domain Validation (DV) certificate indicates that the applicant has control over the specified DNS domain. DV certificates do not assure that any particular legal entity is connected to the certificate, even if the domain name may imply that. The name of the organization will not appear next to the lock in the browser since the controlling organization is not validated. DV certificates are relatively inexpensive, or even free. It’s a low level of authentication but provides assurance that the user is not on a spoofed copy of a legitimate site.
Organization Validation (OV)
OV certificates verify that the applicant is a legitimate business. Before issuing the SSL certificate, the CA performs a rigorous validation procedure, including checking the applicant's business credentials (such as the Articles of Incorporation) and verifying the accuracy of its physical and Web addresses.
Extended Validation (EV)
Extended Validation certificates are the newest type of certificate. They provide more validation than the OV validation level and adhere to industry-wide certification guidelines established by leading Web browser vendors and Certificate Authorities. To clarify the degree of validation, the name of the verified legal identity is displayed in the browser, in green, next to the lock. EV certificates are more expensive than DV or OV certificates because of the extra work they require from the CA. EV certificates convey more trust than the other alternatives, so are appropriate for financial and commerce sites, but they are useful on any site where trust is important.
In addition to the validation levels, there are several types of certificates available.
Single Domain Certificate
An individual certificate is issued for a single domain. It can be either DV, OV or EV.
Wildcard Certificate
A wildcard certificate will automatically secure any sub-domains that a business adds in the future. They also reduce the number of certificates that need to be tracked. A wildcard domain would be something like *.example.com, which would include www.example.com, blog.example.com, help.example.com, etc. Wildcards work only with DV and OV certificates. EV certificates cannot be provided as wildcard certificates, since every domain must be specifically identified in an EV certificate.
Multi-Domain Subject Alternative Name (SAN)
A multi-domain SAN certificate secures multiple domain names on a single certificate. Unlike a wildcard certificate, the domain names can be totally unrelated. It can be used by services like Cloudflare that combine a number of domains into a single certificate. All domains are covered by the same certificate, so they have the same level of credentials. A SAN certificate is often used to provide multiple domains with DV level certification, but EV SAN certificates are also available.
Install a Signed Certificate
The process of installing an SSL certificate is initiated on the server where the website is hosted by creating a 2048-bit RSA public/private key pair, then generating a Certificate Signing Request (CSR). The CSR is a block of encoded text that contains information that will be included in the certificate, like the organization name and location, along with the server’s public key. The CA then uses the CSR and the public key to create a signed SSL certificate, or a Certificate Chain. A certificate chain consists of multiple certificates where each certificate vouches for the next. This signed certificate or certificate chain is then installed on the original server. The public key is used to encrypt messages, and they can only be decrypted with the corresponding private key, making it possible for the user and the website to communicate privately with each other.
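The key-pair and CSR step above, as an added example (not part of the original article) using the openssl command-line tool. The domain names, organisation name and output directory are constructed for the example; the private key stays on the server, and only the CSR is sent to the CA. The example also verifies the CSR's own signature and lists the Subject Alternative Names it requests, which is the check to make before submitting it.

```shell
#!/bin/sh
# Added example (not from the original article): generate a 2048-bit RSA key
# and a CSR with openssl, then verify the CSR and print its subject and SANs.
# The domain names and organisation below are constructed for the example.
set -eu

# make_csr <out-dir> <primary-domain> [extra-domain ...]
# Writes key.pem (keep private; never send it to the CA) and csr.pem (what
# you submit to the CA) into <out-dir>. Every extra domain becomes a SAN.
make_csr() {
  dir=$1; primary=$2; shift 2
  san="DNS:$primary"
  for d in "$@"; do san="$san,DNS:$d"; done
  mkdir -p "$dir"
  # subshell so the restrictive umask (private key not world-readable)
  # does not leak into the caller
  ( umask 077
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
      -keyout "$dir/key.pem" -out "$dir/csr.pem" \
      -subj "/C=US/O=Example Inc/CN=$primary" \
      -addext "subjectAltName=$san" 2>/dev/null )
}

# csr_subject <csr-file>: prints the subject of a CSR after checking that its
# self-signature verifies (a corrupted or tampered CSR fails here).
csr_subject() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
  openssl req -in "$1" -noout -subject
}

# csr_sans <csr-file>: prints the SAN entries requested in the CSR, e.g.
# DNS:www.example.com,DNS:blog.example.com
csr_sans() {
  openssl req -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}
```

Run it as `make_csr /tmp/tls www.example.com blog.example.com` and then `csr_subject /tmp/tls/csr.pem`; the `-addext` option requires OpenSSL 1.1.1 or later.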
Obviously, this process is something that only works if you have shell access or a control panel UI to the server. If your site is hosted by a third party, it will be up to the host to determine how, if at all, they will allow their hosted sites to be served over HTTPS. Most major hosts offer HTTPS, but specific instructions and procedures vary from host to host.
As an alternative, there are services, like Cloudflare, that provide HTTPS for any site, no matter where it is hosted. I discussed this in more detail in my previous article, HTTPS Everywhere: Quick Start With CloudFlare.
Configure the Server to Use SSL
The next step is to make sure the website server is configured to use SSL. If a third party manages your servers, like a shared host or CDN, this is handled by the third party and you don’t need to do anything other than determine that it is being handled correctly. If you are managing your own server, you might find Mozilla's handy configuration generator and documentation about Server Side TLS useful.
One important consideration is that the server and its keys should be configured for PFS, an abbreviation for either Perfect Forward Security or Perfect Forward Secrecy. Prior to the implementation of PFS, an attacker could record encrypted traffic over time and store it. If they got access to the private key later, they could then decrypt all that historic data with the private key. Security around the private key might be relaxed once the certificate expires, so this is a genuine issue. PFS ensures that even if the private key gets disclosed later, it can’t be used to decrypt prior encrypted traffic. An example of why this is important is the Heartbleed bug, where PFS would have prevented some of the damage. If you’re using a third-party service for SSL, be sure it uses PFS. Cloudflare does, for instance.
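A way to check the PFS property of a server's cipher configuration before deploying it, as an added example (not from the original article or from Mozilla's generator): openssl expands a cipher string and reports the key-exchange method of each suite. Suites using static RSA key exchange (Kx=RSA) are exactly the ones the paragraph warns about, because the session key is encrypted under the certificate's public key and a later private-key leak decrypts recorded traffic; ECDHE/DHE suites and all TLS 1.3 suites negotiate a fresh ephemeral key per session. The cipher strings are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original article): list the suites in an
# OpenSSL cipher string that lack forward secrecy. Static RSA key exchange
# (Kx=RSA) lets a later private-key compromise decrypt recorded sessions;
# ECDHE/DHE and every TLS 1.3 suite (shown as Kx=any) do not.

# non_pfs_suites <openssl-cipher-string>
# Prints one suite name per line for each suite whose key exchange is
# static RSA. Empty output means the whole list offers forward secrecy.
non_pfs_suites() {
  # 'openssl ciphers -v' prints: NAME  PROTOCOL  Kx=...  Au=...  Enc=...  Mac=...
  openssl ciphers -v "$1" 2>/dev/null | awk '$3 == "Kx=RSA" { print $1 }'
}

# pfs_ok <openssl-cipher-string>: exit 0 when no static-RSA suite is enabled.
pfs_ok() {
  [ -z "$(non_pfs_suites "$1")" ]
}

# Example: a modern list passes, a legacy RSA-only list does not.
if pfs_ok 'ECDHE+AESGCM:DHE+AESGCM'; then
  echo "ECDHE+AESGCM:DHE+AESGCM: forward secrecy for every suite"
fi
echo "Suites without forward secrecy in 'ECDHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256':"
non_pfs_suites 'ECDHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256'
```

Paste the cipher string from your web server configuration (the `ssl_ciphers` value in nginx or `SSLCipherSuite` in Apache) as the argument; anything the function prints should be removed from that list.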
Normally SSL certificates have a one-to-one relationship to the IP address of their domains. Server Name Indication (SNI) is an extension of TLS that provides a way to manage multiple certificates on the same IP address. SNI-compatible browsers (most modern browsers are SNI-compatible) can communicate with the server to retrieve the correct certificate for the domain they are trying to reach, which allows multiple HTTPS sites to be served from a single IP address.
Test the server’s configuration with Qualys' handy SSL Server Test. You can use this test even on servers you don’t control! It will run a battery of tests and give the server a security score for any HTTPS domain.
Review Your Site for HTTPS Problems
Once a certificate has been installed, it’s time to scrutinize the site to be sure it is totally valid using HTTPS. This is one of the most important, and potentially time-consuming, steps in switching a site to HTTPS.
To review your site for HTTPS validation, visit it by switching the HTTP in the address to HTTPS and scan the page source. Do this after a certificate has been installed, otherwise, the validation error from the lack of a certificate may prevent other validation errors from even appearing.
There used to be a recommendation to use protocol-relative links, such as //example.com instead of http://example.com, but now the recommendation is to just always use HTTPS, if available, since an HTTPS resource works fine under either protocol.
Absolute internal links should not conflate HTTP and HTTPS references. Ideally, all internal links should be relative links anyway, so they will work correctly under either HTTP or HTTPS. There are lots of other benefits of relative links, and few reasons not to use them.
For the most part, stock Drupal websites already use relative links wherever possible. In Drupal, some common sources of mixed content problems include:
- Hard-coded HTTP links in custom block content.
- Hard-coded HTTP links added by content authors in body, text, and link fields.
- Hard-coded HTTP links in custom menu links.
- Hard-coded HTTP links in templates and template functions.
- Contributed modules that hard-code HTTP links in templates or theme functions.
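The page-source scan described above can be automated for the common cases in that list. The following is an added example (not from the original article): it greps a saved HTML page for http:// URLs in src, href and action attributes, which is where hard-coded links from block content, body fields, menus and templates end up in the rendered output. The sample page is constructed for the example; on a real site you would save the rendered page for each template and content type and run the function over each file.

```shell
#!/bin/sh
# Added example (not from the original article): find hard-coded http://
# references in rendered HTML. Scripts, styles, images, frames and form
# targets loaded over plain HTTP are mixed content on an HTTPS page; plain
# http:// hyperlinks are also reported since they route visitors back
# through the insecure origin. The sample page below is constructed.

# mixed_content_refs <html-file>
# Prints one http:// URL per line, taken from src=, href= or action=
# attributes (double- or single-quoted). https:// and protocol-relative
# (//host/...) references are not reported.
mixed_content_refs() {
  grep -oiE '(src|href|action)=["'"'"']http://[^"'"'"']*' "$1" \
    | sed -E 's/^[^=]+=["'"'"']//'
}

# count_mixed_content <html-file>: number of http:// references found.
count_mixed_content() {
  mixed_content_refs "$1" | wc -l | tr -d ' '
}

# Constructed sample page: four http:// references, one https:// reference
# and one protocol-relative reference.
sample_page() {
  cat <<'EOF'
<html><head>
<link rel="stylesheet" href="https://cdn.example.com/site.css">
<script src="http://cdn.example.com/app.js"></script>
<link rel="stylesheet" href='http://cdn.example.com/legacy.css'>
</head><body>
<img src="//cdn.example.com/logo.png">
<a href="http://example.com/about">About</a>
<form action="http://example.com/search"></form>
</body></html>
EOF
}

# Usage: scan the constructed page (or pass any saved page source instead).
page=$(mktemp)
sample_page > "$page"
echo "$(count_mixed_content "$page") http:// reference(s) found:"
mixed_content_refs "$page"
rm -f "$page"
```

The scan is deliberately literal: it only catches attribute values that begin with http://, so URLs built in JavaScript or in CSS url() values still need a look in the browser's console, which reports every blocked or insecure request.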
Once you’ve assured yourself that your website passes SSL validation, it’s time to be sure that all traffic goes over HTTPS instead of HTTP. You need 301 redirects from your HTTP pages to HTTPS, especially when switching from HTTP to HTTPS. If a website was already in production on HTTP, search engines have already indexed your pages. The 301 redirect ensures that search engines understand the new pages are a replacement for the old pages.
If you haven’t already, you need to determine whether you prefer the bare domain or the www version, example.com vs www.example.com. You should already be redirecting traffic away from one to the other for good SEO. When you include the HTTP and HTTPS protocols, at a minimum you will have four potential addresses to consider: http://example.com, https://example.com, http://www.example.com, and https://www.example.com. One of those should survive as your preferred address. You’ll need to set up redirects to reroute traffic away from all the others to that preferred location.
Specific details about how to handle redirects on the website server will vary depending on the operating system and configuration on the server. Shared hosts like Acquia Cloud and Pantheon provide detailed HTTPS redirection instructions that work on their specific configurations. Those instructions could provide useful clues to someone configuring a self-hosted website server as well.
HTTP Strict Transport Security (HSTS)
The final level of assurance that all traffic uses HTTPS is to implement the HTTP Strict Transport Security (HSTS) header on the secured site. The HSTS header creates a browser policy to always use HTTPS for the specified domain. Redirects are good, but there is still the potential for a Man-in-the-Middle to intercept the HTTP communication before it gets redirected to HTTPS. With HSTS, after the first communication with a domain, that browser will always initiate communication with HTTPS. The HSTS header contains a max-age when the policy expires, but the max-age is reset every time the user visits the domain. The policy will never expire if the user visits the site regularly, only if they fail to visit within the max-age period.
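The redirect and HSTS requirements from the two sections above can be checked from saved response headers. This is an added example, not from the original article: each of the address variants should answer with a 301 to the one preferred address, and the preferred address should send a Strict-Transport-Security header. The one-year minimum max-age is a threshold chosen for this example (the article gives no value), and the three response header blocks are constructed, standing in for what `curl -sI` would return from each address.

```shell
#!/bin/sh
# Added example (not from the original article): validate redirect and HSTS
# behaviour from captured response headers. PREFERRED and MIN_HSTS_AGE are
# assumptions for the example; the response samples are constructed.

PREFERRED='https://www.example.com/'
MIN_HSTS_AGE=31536000   # one year, in seconds

# status_code: reads an HTTP response (headers) on stdin, prints the status.
status_code() {
  head -n 1 | awk '{ print $2 }' | tr -d '\r'
}

# header_value <name>: reads response headers on stdin, prints the value of
# the named header (case-insensitive), trailing CR and whitespace removed.
header_value() {
  awk -v want="$1" '
    BEGIN { want = tolower(want) }
    NR > 1 && index($0, ":") {
      name = tolower(substr($0, 1, index($0, ":") - 1))
      if (name == want) {
        val = substr($0, index($0, ":") + 1)
        sub(/^[ \t]+/, "", val); sub(/[ \t\r]+$/, "", val)
        print val
      }
    }'
}

# check_redirect <headers-file>: success only for a 301 whose Location is
# exactly the preferred address (a 302 or a redirect to http:// fails).
check_redirect() {
  [ "$(status_code < "$1")" = "301" ] &&
  [ "$(header_value Location < "$1")" = "$PREFERRED" ]
}

# check_hsts <headers-file>: success only if an HSTS header is present and
# its max-age is at least MIN_HSTS_AGE.
check_hsts() {
  age=$(header_value Strict-Transport-Security < "$1" \
        | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
  [ -n "$age" ] && [ "$age" -ge "$MIN_HSTS_AGE" ]
}

# Constructed responses (what a correctly configured site should send).
sample_http_response() {   # from http://example.com/ or http://www.example.com/
  printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://www.example.com/\r\nContent-Length: 0\r\n\r\n'
}
sample_https_response() {  # from the preferred https://www.example.com/
  printf 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains\r\nContent-Type: text/html\r\n\r\n'
}
sample_weak_response() {   # 302 back to http:// with a five-minute HSTS: fails both
  printf 'HTTP/1.1 302 Found\r\nLocation: http://www.example.com/\r\nStrict-Transport-Security: max-age=300\r\n\r\n'
}
```

To check a live site, save the headers of each address variant with `curl -sI` to a file and pass that file to `check_redirect` (for the three non-preferred addresses) or `check_hsts` (for the preferred one).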
If you’re using Cloudflare’s SSL, as in my previous article, you can set the HSTS header in Cloudflare’s dashboard. It’s a configuration setting under the “Crypto” tab.
Local, Dev, and Stage Environments
A final consideration is whether or not to use HTTPS on all environments, including local, dev, and stage environments. That is truly HTTPS everywhere! If the live site uses HTTPS, it makes sense to use HTTPS in all environments for consistency.
HTTPS Is Important
Hopefully, this series of articles provides convincing evidence that it's important for sites of all sizes to start using the HTTPS protocol, and some ideas of how to make that happen. HTTPS Everywhere is a worthy initiative!
DrupalCon Asia started 2016 with a crushing abundance of selfies. There was no mercy for those on the sidelines; get involved or be ignored. However, there's a special few of us who are always there, yet never exactly engaged. We're a special breed of people, giving more of ourselves, to get more acclaim of those around us. We're open source photographers.
Drupal Dev Days has been a recurring event since 2010, when it got started in Munich. Since then it has changed location within Europe every year. This year it is being hosted in Seville, Spain from March 21-25. Dev Days is a special event, and I have my own very fond memories from previous years.
Creating and publishing quality content within time constraints is a common challenge for many content authors. As web engineers, we are focused on helping our clients overcome this challenge by delivering systems that are intuitive, stable, and a pleasure to operate. Customizing the user experience for content authors is a critical component that site architects must implement in order to establish and maintain client satisfaction. Drupal 8 makes it easier for digital agencies to empower content creators and editors with the right tools to get the job done efficiently. Here are five tips in Drupal 8 that make the content authoring experience more enjoyable and productive. Continue reading…
Take a moment to think back to the moment you first discovered it was possible to pursue a career in Drupal. Cast your mind even further back to how you actually heard about Drupal. For many of us, myself included, it was serendipity. A coincidence which changed the course of your life for the better. We read the right article, happened across a meetup, spoke to the right person. Sound familiar? It is more likely to have happened this way than through deciding at university or school that this was the career path we were targeting.
Today Matt Glaman explained how he came to be standing in front of 500 people keynoting at DrupalCamp London. Working as a bar person, hobbyist Drupaler by night, back in 2013 he had no idea being a Drupal developer was a real job. Matt had the good fortune to meet Mike Anello, an inspirational member of the Drupal community. This triggered a chain of events which, combined with self-motivation, led to Matt speaking to Ryan Szrama (another Drupalist with infectious enthusiasm) and ultimately working full time for Commerce Guys.
Open Source Software like Drupal (and the communities surrounding it) drives opportunity which can change people's lives. Matt's keynote left me wishing we could move to a situation where we as a project are not so dependent upon coincidence. It's far from the first time I've felt this way. Vijayachandran Mani was living in rural India. He worked in Drupal for 4 years before really understanding open source or what the community and contribution were. Only when by chance Vijay stumbled across a blog by Dries Buytaert did he discover there were huge employment opportunities for him in India using Drupal. This ultimately resulted in Vijay moving to the UK and becoming a top 20 contributor to Drupal 8 core.
What about all those people we nearly hooked, the ones that weren't in that right place at the right time? The ones not quite brave enough to speak to us at a conference or meetup. How can we reach more of them?
Considering Drupal is celebrated far and wide for its community, for me Drupal.org is a faceless place. It does not represent the warmth and diversity of our events, or the welcoming nature of all we do. Wouldn't it be nice if we humanised this place? Create a special area where some of us could tell our personal story: how we came to do the jobs we do, the impact we generate in the real world through open source software, how we work, often in modern and distributed ways, creating imaginative solutions for public services, charities, governments, non-profits and business. That being a Drupalist is a real and valuable career path. A place where those with potential to get involved could realise there are others just like them working in Drupal, role models if you will.
I see there being many parallels between this idea and the new industry landing pages the Drupal Association have realised. Not only should Drupal promote itself better to business but also to future contributors and those embarking upon a career in digital. I'd welcome your thoughts on this idea.
It's that time of the year again! Time to connect in the South Bay! Stanford Camp is happening March 10th & 11th and will be here before we know it.
Drupal 8.3.x has entered its release candidate phase with the release of 8.3.0-rc1, which means we will now undertake disruptive cleanup tasks like adjusting coding standards. The main standards change during this release candidate phase will be the official adoption of short array syntax, e.g.:
// $array = array('foo', 'bar');
$array = ['foo', 'bar'];
Work is underway to patch core for this change, which will touch many files, so be aware that you will need to reroll patches for conflicts and adjust them to use the new standard.
The Nonprofit Technology Conference is just around the corner, and we’re hard at work making those final preparations for our trip to D.C. We have some exciting things in store for you this year, so mark your calendars!
Drupal Salon
This year, we’re honored to coordinate the first ever Drupal Salon at the NTC. In lieu of the traditional pre-conference days as we’ve done in previous years, NTEN set aside space and time for subject matter experts to present nine twenty-minute-long talks on all things Drupal on Thursday, March 23rd. These talks will take place as part of the formal NTC schedule, and sessions can be viewed in the Wordpress & Drupal Salon tracks on the NTC site.
We’re excited to have experts from the Southern Poverty Law Center, Shatterproof, and the Center for Strategic and International Studies share their Drupal insight and experiences. ThinkShout will also be providing one-on-one consulting at our Drupal Salon table, so bring us all of your Drupal questions! Drupal hosting providers Pantheon and Acquia will also be on hand to tackle whatever Drupal hosting questions you may have.
We hope you’ll be able to join us! Here’s what we’ll be talking about:
“Stories that Matter: How the SPLC Responded to the 2016 Election” - Alex Amend, Digital Media Director (The Southern Poverty Law Center)
“Rapid Response Options in Drupal” - Eric Paxton, Senior Front End Engineer (ThinkShout)
“Drupal-Powered Digital Storytelling” - Brett Meyer, Director of Strategy (ThinkShout)
“Drupal as a Hub: Custom Integrations for CSIS” - Ian Gottesman, Chief Information Officer (CSIS)
“Integrating Drupal and Salesforce” - Lev Tsypin, President & CEO (ThinkShout)
“Event Registration with Drupal” - Gabe Carleton-Barnes, Engineering Manager (ThinkShout)
“How Shatterproof Fights Addiction with Compelling Content” - Anthony Della Camera, Technology Director & Jessica Ishikawa, Interactive Designer (Shatterproof)
“Content Modeling for Drupal-based Websites” - Brett Meyer, Director of Strategy (ThinkShout)
“Leveraging Drupal in Your Marketing Strategies” - Natania LeClerc, Senior Digital Engagement Strategist (ThinkShout)
We’re confident that the Drupal Salon sessions will have a little something for everyone, and we look forward to connecting with the nonprofit community with this new format.
Meet the ThinkShout Team
Be sure to catch our team session on March 23rd, as well!
- “How to Learn to Stop Worrying and Love Your Digital Agency” - Alex Amend (Southern Poverty Law Center), Michele Kayal (Relief International), Alex MacMillan (ThinkShout), and Lev Tsypin (ThinkShout)
The ThinkShout team will have a presence in the Exhibit Hall this year, of course. Stop by our booth (#501) and chat; we’ll be debuting brand new t-shirts and we’re excited to share them with you all (for free)! This is a great opportunity to learn more about our work and the organizations we partner with. We’re also available to talk about anything B Corp related, so send those questions our way!
If you’d like to schedule a time to meet with our staff at the NTC in advance, drop us a line through our contact form. See you in the capitol!
One of our OSTraining members asked us how to make a user input form using Drupal 8 Webform module. So, we thought what could be a more useful answer than a comprehensive, easy to follow lesson.
The most potent Drupal module for creating very complex layouts is definitely Panels. It integrates with a lot of other parts of your Drupal site, so you can show views, nodes, webforms, blocks, and pretty much anything else you can think of. Page builder is very easy to use and gives administrators a visual representation of complex pages.
As you know, we've been highlighting the work of the Drupal Association Engineering Team during our membership campaign. Every day, this small team moves the needle forward so that we all have a better experience as users of Drupal.org. In this post, we explore how the team's recent work results in faster, less expensive Drupal development.
Helping Drupal development move faster with DrupalCI
DrupalCI testbots are the next generation of testing infrastructure for Drupal.org, funded by the Drupal Association and maintained by the Engineering team. For any project on the site, DrupalCI testing can be enabled from the Automated Testing link on the Project page. Every time a contribution to the Drupal project needs to be tested, DrupalCI spins up a testbot on AWS to test those changes. The DrupalCI testbots are helping Drupal contributors to test patches faster than ever before and they are more cost effective than our last generation testbots, both in price-per-test and in expense to maintain.
In recent months, we've added a number of new features including:
- checkstyle testing to ensure code contributions adhere to Drupal coding standards
- automatic builds of vagrant boxes so you can easily use DrupalCI testing on your local machine
- updates to the PHP containers to make tests compatible with a variety of PHP versions
We're proud to say that our work on DrupalCI has increased the speed of Drupal development, saving time and money!
Want to keep up with the engineering team? Subscribe to change notifications so you can see ongoing improvements.
Making the greatest impact with member and donor funds with a leaner Drupal.org
Drupal.org is more portable and maintainable because of updates in 2016 that streamline our infrastructure. We've virtualized the majority of the infrastructure and standardized on Debian 8 images. We've also updated our configuration and user management from Puppet 3 + LDAP to Puppet 4 + Hiera. Dev sites are more robust and we can create staging and development environments faster than before.
All of this makes Drupal.org more cost-effective to run, easier to maintain, and increases our development velocity when we're working on new features to support the community. These efficiencies help to conserve membership and donor funds for other programs to help the Drupal community, like fiscal sponsorship for camps, and Community Cultivation Grants.
Improving developers' lives by supporting Composer workflows for Drupal
Composer is the de facto standard for managing dependencies in the PHP world. Over the course of 2016, the Drupal Association Engineering Team developed Composer endpoints for Drupal, allowing Drupal developers to use Composer to manage dependencies, and allowing PHP developers at large to manage Drupal as part of their larger PHP projects in this standard workflow.
Composer is a force multiplier for enterprise site owners and developers within the Drupal community and at large. By supporting Composer, we've further opened Drupal to the wider PHP community, thus bringing new people into the fold to contribute.
A big thanks to everyone who helped with Composer: seldeak - the creator of Composer and Packagist.org, webflo - the creator and maintainer of http://packagist.drupal-composer.org, timmillwood, dixon_, badjava, cweagans, tstoeckler, mile23, and also Appnovation, who sponsored the initial development of Drupal.org's composer endpoints.
A more secure home for the Drupal community
Keeping Drupal.org secure is also the responsibility of the Drupal Association Engineering Team (though we rely on some trusted volunteers to help - thanks, mlhess and basic!). From Heartbleed, to Dirty COW, to Cloudbleed - the team is always ready to respond when a vulnerability is disclosed. But the team is not just reactive - they also take proactive steps to keep Drupal.org and all our users' data safe. From ensuring that most of our servers are only available to each other on a back-end network, to putting in protections against DDoS attacks, to building anti-spam tools to prevent bad actors from registering accounts on the site - the Engineering Team is looking to prevent problems before they happen.
We'll keep at it, with your support
Every day, we're on call to keep Drupal.org running and improving. The list of small changes we make to have a big impact on your Drupal.org experience grows by the day. You can help sustain the work of the Drupal Association by joining as a member. Thank you!
Acquia announced Monday that Chapter Three was one of its top three growth partners in 2016!
Chapter Three has developed and hosted multi-site installations for large companies like CooperVision and Memorial Care on the Acquia platform for over four years, and we partner with Acquia to host many more sites.
"Chapter Three partners with Acquia to create enterprise class solutions," explains Chapter Three managing partner, John Faber. "We use the Acquia platform for our Drupal 8 sites, supporting our clients by supporting each other."
Data protection is one of the primary advantages of Drupal, but sometimes there are exceptions to the rule and you might need to modify a field to account for some change in business needs. There are a few rule bends (read: hacks) that can be done to circumvent Drupal's checks and still maintain data integrity. You should only perform this when extending a field or changing something reasonable that is allowed by the database server. For example, expanding a varchar length or changing an unformatted string into a formatted text field.